
What is a zero-day attack? We define it as a virus or other exploit that takes advantage of a newly discovered hole in a program or operating system before the software developer has made a fix available, or before they're even aware the hole exists.

"Zero day" is the day you open a virus-infected e-mail attachment or get hit by a drive-by download because the antivirus or antispyware software you diligently kept up to date knew nothing of the brand-new attacks.

Typically, when security researchers find a vulnerability or hole in some piece of software, they announce it, and then the companies work on creating fixes as quickly as they can. These fixes, either patches from the original software vendors or signatures (tiny pieces of code that identify threats), are then quickly distributed.

Unfortunately, more and more frequently, we're seeing attacks becoming widespread before the fixes are in place. Some black hats are identifying vulnerabilities on their own and exploiting them before the Microsofts and Symantecs of the world know about them. "These attacks are still relatively rare," says Saman Amarasinghe, CTO of the security software company Determina. "But they're happening." Worse, many others will attack a vulnerability within hours after a company such as Microsoft tells the world it's there. In the past, virus writers needed a certain amount of expertise to exploit a new software vulnerability. Nowadays, there's ready access to tools that can take patch code and almost instantly turn it into a worm or virus.

One simple example came in August, when Microsoft announced a serious vulnerability in the Windows Plug and Play service. Microsoft released a patch on the same day. Within a week, "proof of concept" exploit code for the vulnerability appeared, followed by six actual worms, specifically the Zotob family: hardly instantaneous, but less time than many companies might take to update all their vulnerable systems.

As Zotob and the related attacks were worms, we might expect our antivirus software to protect us against them. But here too, the established order failed many users: By the time antivirus companies acquired samples, wrote a signature to identify them, and distributed those signatures to users, the worms had had time to spread far and wide.

How far? How wide? AV-Test (www.av-test.org), a computer security research group at Germany's Otto-von-Guericke-University Magdeburg, tracks the antivirus industry's response to various worms. It found that a few companies had signatures out within hours. But others took longer, in some cases more than two days, to get fixes out. (See the chart at right.) In that time, tens of thousands of systems were infected, according to antivirus vendor Trend Micro.

It could have been even worse: Users with up-to-date firewalls were protected from many of these worms, as long as the firewall just blocked a connection from an unknown program. (That's right: Those infected typically did not have any software firewall running.)

Even without specific signatures, a number of antivirus products were able to block some or all of the worms by using heuristic means of trying to understand what the programs were doing. This means the programs are using rules that look at the software, rather than just specific signatures, to keep out threats. The two most common approaches here are code scanning, looking within new programs for known methods of exploiting security vulnerabilities, and behavior blocking, watching what a program does and stopping it if it seems to be doing something unexpected.
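As an added illustration (not code from the original article), here is a small Python model of the difference between the two approaches: a signature scanner that recognizes only exact samples it has already seen, and a behavior blocker that scores what a program does against a few rules. The sample bytes, file paths and event streams are constructed for the example.

```python
import hashlib
from collections import defaultdict
# Constructed signature database: hashes of samples the vendor has already captured.
KNOWN_SAMPLE = b"worm sample v1: exploit pnp; copy self; set autorun; scan 445"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_scan(sample: bytes) -> bool:
    """Signature detection: a hit only when this exact byte string was seen before."""
    return hashlib.sha256(sample).hexdigest() in SIGNATURES

# Behavior blocking judges what a program does, not what it looks like. Events are
# (action, target) pairs; the streams below are constructed, not real telemetry.
SYSTEM_DIR = "C:\\Windows\\"

def drops_into_system_dir(events):
    return any(a == "write_file" and t.startswith(SYSTEM_DIR) for a, t in events)

def sets_autorun(events):
    return any(a == "set_autorun" for a, _ in events)

def scans_one_port(events, min_hosts=10):
    """Many distinct hosts contacted on one port is how a worm looks for victims."""
    hosts_by_port = defaultdict(set)
    for a, t in events:
        if a == "connect":
            host, port = t.rsplit(":", 1)
            hosts_by_port[port].add(host)
    return any(len(hosts) >= min_hosts for hosts in hosts_by_port.values())

# (description, rule, weight); the program is blocked once the summed weight
# reaches BLOCK_THRESHOLD, so a single suspicious action is not enough on its own.
RULES = [
    ("writes into the system directory", drops_into_system_dir, 1),
    ("registers itself to run at startup", sets_autorun, 1),
    ("connects to many hosts on one port", scans_one_port, 2),
]
BLOCK_THRESHOLD = 3

def behavior_verdict(events):
    """Return (blocked, reasons) for one program's observed event stream."""
    hits = [(desc, w) for desc, rule, w in RULES if rule(events)]
    return sum(w for _, w in hits) >= BLOCK_THRESHOLD, [desc for desc, _ in hits]

# A legitimate installer: writes under Program Files and adds one autorun entry.
INSTALLER_EVENTS = [("write_file", "C:\\Program Files\\App\\app.exe"),
                    ("set_autorun", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App")]
# A repacked worm variant: same behavior as KNOWN_SAMPLE, different bytes (no signature hit).
WORM_EVENTS = [("write_file", SYSTEM_DIR + "system32\\svc.exe"),
               ("set_autorun", "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc")]
WORM_EVENTS += [("connect", f"10.0.0.{i}:445") for i in range(1, 13)]
```

The repacked variant slips past `signature_scan` because its hash is unknown, while `behavior_verdict` blocks it on what it does; the installer trips only the autorun rule and is allowed through.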

Many traditional antivirus programs add such heuristics to their signature-based detection to catch these new problems, with varying success. And a few new products take the unconventional approach of eschewing signatures and relying only on heuristic methods.

Though it may seem odd to ignore a proven method of protecting against viruses and other malware, it might work. When AV-Test looked at Panda Software's behavior-monitoring TruPrevent, it found that the software blocked all six of those Plug and Play-exploiting worms.

Because we're seeing the time between vulnerability and attack go down, and because these products make bold claims about completely protecting your system even without looking for signatures, we tested four "proactive" threat protection programs for this story. Our tests and AV-Test's tests showed mixed results. And even the developers of the behavior-blocking tools aren't yet ready to tell you to uninstall your traditional antivirus software. Rather, the behavior-blocking AV vendors talk about how their programs are compatible with conventional signature-based antivirus software.

Still, we're reluctant to suggest that most users should buy another product to supplement their antivirus product. To begin with, we think most people are better off buying a security suite from a single vendor rather than piecing together antivirus, firewall, antispam, and antispyware apps. Panda is moving in the right direction, adding its TruPrevent product to its security suite. We'd like to see the other security suite vendors improve their heuristic detection.

Unfortunately, the growing number of zero-day threats means even that may not be enough. Heuristic approaches may be the way. We can only hope these mature into commonly used programs quickly; otherwise, the next zero-day attack could become a real disaster.
